SUC011 : Activities on 62550/UDP destination port – d1:ad2:id20

  • Use Case Reference : SUC011
  • Use Case Title : Activities on 6250/UDP destination port
  • Use Case Detection : Firewall / IDS
  • Targeted Attack : N/A
  • Identified tool(s) : BitTorrent clients
  • Source IP(s) : Random
  • Source Countries : Random
  • Source Port(s) : Random
  • Destination Port(s) : 62550/UDP
Payload example :
000 : 64 31 3A 61 64 32 3A 69 64 32 30 3A AC 41 FC A5   d1:ad2:id20:.A..
010 : 70 55 ED 54 F8 0A 70 A8 C0 A0 DB D9 55 69 BE 5A   pU.T..p…..Ui.Z
020 : 65 31 3A 71 34 3A 70 69 6E 67 31 3A 74 34 3A B8   e1:q4:ping1:t4:.
030 : 8F 00 00 31 3A 76 34 3A 55 54 48 38 31 3A 79 31   …1:v4:UTH81:y1
040 : 3A 71 65                                          :qe
Possible(s) correlation(s) :
  • P2P BitTorrent DHT Queries for Trackerless Torrents

Source(s) :

These activities are real false positives if they match the “d1:ad2:id20” UDP content. You could ignore them, and also to no more receive these kind of activities we recommend you to block ICMP response on your servers.

24 hours destination port 62550 events
24 hours destination port 62550 events
1 week destination port 62550 events
1 week destination port 62550 events
1 month destination port 62550 events
1 month destination port 62550 events
1 year destination port 62550 events
1 year destination port 62550 events
source ports repartition for destination port 62550
source ports repartition for destination port 62550
source countries repartition for destination port 62550
source countries repartition for destination port 62550